From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <elfutils-devel-return-5892-listarch-elfutils-devel=sourceware.org@sourceware.org>
Received: (qmail 46599 invoked by alias); 24 Mar 2017 11:15:28 -0000
Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <elfutils-devel.sourceware.org>
List-Post: <mailto:elfutils-devel@sourceware.org>
List-Help: <mailto:elfutils-devel-help@sourceware.org>
List-Subscribe: <mailto:elfutils-devel-subscribe@sourceware.org>
Sender: elfutils-devel-owner@sourceware.org
Received: (qmail 46474 invoked by uid 89); 24 Mar 2017 11:15:17 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.99.2 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-24.3 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY autolearn=ham version=3.3.2 spammy=H*F:U*mark, U*mjw, H*MI:mark, H*m:mark
X-Spam-Status: No, score=-24.3 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level: 
X-HELO: gnu.wildebeest.org
From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard <mark@klomp.org>
Subject: [PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
Date: Fri, 24 Mar 2017 11:15:00 -0000
Message-Id: <1490354102-21353-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1
X-SW-Source: 2017-q1/txt/msg00109.txt.bz2

We sanity check to make sure we don't index outside the chain array
by testing inner > max_nsyms. But inner is a zero-based index, while
max_nsyms is the maximum number. Change the check to inner >= max_nsyms.

https://sourceware.org/bugzilla/show_bug.cgi?id=21299

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 src/ChangeLog | 5 +++++
 src/readelf.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 0601198..9dd76c0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2017-03-24  Mark Wielaard  <mjw@redhat.com>
+
+	* readelf.c (handle_gnu_hash): Check inner < max_nsyms before
+	indexing into chain array.
+
 2017-02-16  Ulf Hermann  <ulf.hermann@qt.io>
 
 	* addr2line.c: Include printversion.h
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
 	    ++nsyms;
 	    if (maxlength < ++lengths[cnt])
 	      ++maxlength;
-	    if (inner > max_nsyms)
+	    if (inner >= max_nsyms)
 	      goto invalid_data;
 	  }
 	while ((chain[inner++] & 1) == 0);
-- 
1.8.3.1